Researchers Find Flaws in WPA2's 4-way Handshake Implementations

Researchers have discovered several security vulnerabilities in implementations of the Wi-Fi Protected Access 2 (WPA2) 4-way handshake, which is used by nearly all protected Wi-Fi networks.

The discovery came from simulating cryptographic primitives during symbolic execution in order to analyze security protocol implementations, KU Leuven researchers Mathy Vanhoef and Frank Piessens explain in a recently published whitepaper.

By applying the technique to three client-side implementations of WPA2’s 4-way handshake, the researchers discovered timing side-channels when verifying authentication tags, a denial-of-service attack, a stack-based buffer overflow, and a non-trivial decryption oracle. [...]